If you (or anyone you work with or for) is still having trouble getting their heads round all the PCI Compliance rules, regulations, red-tape and general annoyance, or if you have recently taken on new staff who missed all the training first time round, you might be interested in the PCI Foundation Course being run in May by IT Governance.  (With similar course scheduled later in the year if you are reading this later than May!)

The course is designed for anyone with any responsibility for, or involvement in, your organisation’s PCI DSS compliance activities, and anyone involved in information security management generally.  It has been created and designed by a former QSA (Qualified Security Assessor) who knows all the ins and outs of PCI compliance and aims to give you a comprehensive and practical coverage of all aspects of implementing the PCI DSS in the “real world” – rather than just on paper where everything is always so much easier!

It is designed to help you develop an efficient, cost-effective plan for meeting the PCI compliance standards. You can find out more about it here: PCI Foundation Training Course

Just to be clear, the link above is an affiliate link which means you get the same price (and discounts) as anyone else visiting the IT Governance website directly, but if you do choose to book, IT Governance pay us a small comission for letting you know about them.  But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI Compliance is for a lot of charities and we think this course can help.

The volume and size of the hoops you need to jump through depends on the number of credit card transactions you do.  So at least if you are a small charity taking relatively few credit card payments, you won’t have to meet the same high-cost audit requirements of the huge retail organisations.  Here is a very brief summary of the criteria you need to meet:

Level 1 – If you take over 6 million transactions a year, or your data has previously been compromised

• Annual Onsite Security Audit  – either reviewed by a specially qualified adviser or (by prior agreement with your merchant provider) an Internal Audit signed by an officer of the company
• Quarterly network security scan by an Approved Scanning Vendor (ASV)

Level 2 – If you take 1,000,000 to 6 million transactions a year

• Annual Self Assessment Questionnaire
• Quarterly Scan by an Approved Scanning Vendor (ASV)

Level 3 – If you take 20,000 to 1,000,000 transactions a year

• Quarterly Scan by an Approved Scanning Vendor (ASV)
• Annual Self Assessment Questionnaire

Level 4 – If you take less than 20,000 transactions

• Annual Self Assessment Questionnaire
• Possible Quarterly Scan by an Approved Scanning Vendor (depends on your merchant providers specific requirements)

As you can see from the list above, even though PCI DSS is (supposedly at least) an agreed standard, it’s interpretation depends on your specific merchant provider – and so you need to double-check with them as to the exact requirements your charity needs to meet.

If you are not an IT compliance expert, the whole Self Assessment Questionnaire and Quarterly Scan thing can appear incredibly scary and time consuming. 

There are a number of qualified experts our there (QAS) who can help,  and if you take enough credit card transactions to need to meet the higher level criteria you are probably going to want to ask for their help, but (due to the training, certification and insurance requirements they themselves need to maintain) their services are not particularly cheap.  So for smaller organisations, a DIY approach, probably with help from your internal or external IT experts, is going to be the most likely route to take.

As well as consulting your IT experts, there are a number of organisations who provide “fill in the gaps” type toolkits to help you complete your PCI DSS requirements with the minimum of pain, and a number of organisations who can provide those quarterly scans for a relatively low charge.  Here are a couple we have looked at, an internet search will no doubt yield a lot more:

• IT Governance PCI Toolkit -  A specially designed toolkit to help payment card-accepting organisations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2), containing a full set of documentation templates for the all mandatory PCI DSS policies.
     
• IT Governance ASV Scanning Service - Provides a fixed yearly contract service for scans by an Approved Scanning Vendor based on number of external IP addresses to be scanned – prices (at time of writing) from £165 for a one year contract for 10 scans per quarter across up to 5 IP addresses

Just to be clear, some of the links above are affiliate links –  which means you get the same price (and discounts) as anyone else visiting the destination websites directly, but if you do choose to buy, the website owners pay us a small comission for letting you know about them.  But regardless of whether they pay us or not, we would still be telling you about this because we know how much of a pain PCI Compliance is for a lot of charities and we think these products can really help.

If you store, process or transmit any cardholder data electronically or manually, then your organisation needs to comply with the Payment Card Industry Data Security Standard (PCI DSS) – and prove it - by 1st September this year.  And if your organisation doesn’t comply, you run the risk of a massive fine.

PCI DSS is a set of comprehensive requirements for enhancing payment account data security.  It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, in order to ensure the broad adoption of consistent data security measures on a global basis.

It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures – all designed to help proactively protect customer account data. 

It includes a whole range of requirements, including rules about what data you can and cannot store and what levels of security your organisation and systems network must meet.

It is important  realise that it covers your entire trading environment, including all third-party partners that store, process or transmit data for you as part of your credit card payment process.  Third parties include:

You can’t just assume that your website host or any third-party organisation you use will deal with this – the buck stops with you and you will need to make sure that all your providers, facilities and software comply before you can achieve compliance. 

More to follow soon ….

This time round we take a look at the most common methods available to send out “bulk” emails,  i.e.  emails to many recipients (like newsletters and appeals) as opposed to just a few recipients. 

There are three major ways of sending out bulk emails:

• Via your own email client (like Outlook) – either by placing all recipients in the BCC field or by using an email distribution list
   
• Via  a program specifically designed for sending bulk emails that is installed on a PC or server at your offices
   
• Via a specialist bulk email sending company like AWeber, Constant Contact or Sign-Up.to

All have pros and cons.  Here are some of the key ones and our personal advice on where you can benefit – or slip up – using each of them.

Your own email client

Pros:

• It’s immediately available – probably already running on your desktop, so nothing more to pay.
   
• You already know how to use it.

Cons:

• It is incredibly easy to make a mistake and put recipient addressed in the To or CC field of the email – meaning that every recipients email address is sent to every person and your organisation has instantly breached both UK Data Protection laws and spam laws in every continent!
   
• You need to remember to put in the legal “stuff” (like registered addresses and unsubscription links) in to each email.
   
• You need to manage subscribe and unsubscribe requests yourself.
   
• Emails to more than a few recipients are likely to get blocked by the spam filters on your local PC or your email server.
   
• The sudden volume of outbound emails may be a lot for your email server to handle all at one time, resulting in other day-to-day emails being delayed while you server works to handle your mailing.
   
• If you mess anything up and your email domain gets onto any spam blacklists, you may well stop all email from your organisation from getting through and bring email communication to a total halt until you can get your organisations email server de-listed.
  Even if you do it perfectly, someone can still report you for spam and it will be up to you to prove your innocence.   In the world of spam blacklisting you are sadly often deemed guilty until proven innocent!
   
• You will need to understand what all the non-delivery reports you get back mean in order to manage re-sends and mail list removals.
  If you don’t know the difference between a “hard bounce” and a “soft bounce” – and their error codes – and what you need to do if you get one or more of each type to an email address within a certain time period to keep on the right-side of spam laws, then this probably isn’t the right solution for you!

Our view:

We wouldn’t recommend this unless you only have a few (under 50) subscribers and really understand what you are doing when it comes to email legalities and email delivery and error report codes.
 

Dedicated bulk email program on your PC

Pros:

• They are relatively cheap to buy and you don’t have many (if any) further costs.
   
• They are relatively easy to use and many provide additional features – to help you design good looking emails for example or to automatically add the “legal” bits for example.

Cons:

• Most of the disadvantages listed above for personal email clients (other than the first one).
   
• By default, most use their own email server software to send and track emails, so you need to make sure that any anti-spam settings on your outward server (or even possibly your ISP) are configured to expect bulk emails from it.
   
• Not all of them are particularly accurate at tracking whether emails have reached their destination or not. As well as messing up your statistics, this can lead to you re-sending emails that were incorrectly reported as not having gone through but really had done – leading to subscribers receiving multiple copies which at best will annoy them and at worst may see you being incorrectly reported as a spammer.
   
• If your email recipients are split over several lists, not all of them are able to flag up duplicate sends where the same email address it in multiple lists – which means that subscribers receive multiple copies, with the same results as above.
   

Our view:

This can be a cheap and effective solution.  But you really understand what you are doing when it comes to email legalities and email delivery and error report codes.  If a paid member of staff is handling this, don’t forget to take into consideration the cost of their time learning and administering the program into account – these “hidden” ongoing costs can mean that this isn’t always the cheap and easy solution it appears to be.

Specialist bulk email sending company

Pros:

• They handle all the “legal bits” for you – all you need to worry about is the content!
   
• They have their own email deliver servers, which are specially designed to handle large volumes of emails quickly and efficiently.
   
• Most provide easy to use software for designing your emails as part of the package.
   
• Some include special checking software that you can run to ensure that your email isn’t likely to fall foul of spam filters or other reasons for non-delivery.
   
• Their software automatically handles subscribe and unsubscribe requests for you.
   
• Most provide extra email features like auto-responders that allow follow-up messages to be scheduled and sent automatically.
   
• Some include integration to other information delivery methods such as Twitter and Facebook, allowing you to reach donors and supporters in many different mediums via one single place.
   
• Most include tracking and analytical tools that enable you to quickly and easy monitor deliver and read rates – and report and analyse trends over time or a particular campaign.
   
• If anyone should make a spam complaint about one of your emails sent using one of these services, the company will help sort things out.  And in the meantime, your own organisations day-to-day email won’t be affected.
   

Cons:

• Some offer low price (or free) trials for low subscriber numbers and/or time periods, but after that you will need to pay a monthly or yearly charge which depending on your subscriber numbers (and how often you mail then) can be significant – so costs can mount up unexpectedly if you don’t keep an eye on numbers.
   
• In order to ensure that they stay on the right side of spam legislation (and don’t have their other customers emails blocked) most impose restrictions on the methods by which you can add subscribers.  Though uploading your existing subscriber-base should be no problem, many require that new subscribers are added using “double opt-in” and some specifically ban you from using emails from purchased marketing email lists.
   
• Your subscriber data (email name at minimum) needs to be stored on their servers, so you (or subscribers) may have concerns about privacy or data confidentiality.  In practice this isn’t normally a real problem at all (all the specialist companies have tight security procedures) but there may be a perceived risk.  And if you are using a company whose servers are not based in the UK, you may need to check (and possibly amend) your own organisations published privacy policy.
   
• You are not totally in control of the whole email delivery mechanism – which some organisation may not be comfortable with.  Also subscribers may worry that their email address has been shared with others if  they see a mention of another organisation at the end of your emails (like the Sign-Up.to one at the end of our newsletters) or when subscribing or unsubscribing.  In practice, most internet users are well used to this concept and unworried by it, but if your subscriber base is more conservative or less “internet savvy” then you might need to give them extra reassurance.
   

Our view:

If you have thousands of subscribers, this probably the only practical solution unless you want to employ (or train to be) an email delivery specialist and your email servers really have the capacity to handle the huge volume of email. 

If you have fewer subscribers, you need to balance the benefits against the costs.  Make  sure you take into account not only the time spent sending the emails, but the measured risk to your organisation if you did end up on a spam blacklist – and the time and effort to get off it, which after having to do this for other organisations ourselves we can vouch can be a painful and costly process and one which is best avoided!

Though we are IT specialists and a lot of our time is spent working with email delivery in some shape form (so we do have some level of expertise in this area), this is the solution we choose to use ourselves.  Even though our mailing list is pretty tiny compared to some of the organisations we work with, we still find that outsourcing this part of our communication to an outside specialist organisation saves us time and money overall.

There are both silly and sensible prizes to be won, including 2 months of free telephone/remote support.

You don’t have to be an artistic or green-fingered genius to win so why not give it a go.  Just visit:

               http://www.charitysolutions.co.uk/summer.html

and fill in the form there or give us a ring or email your details to sales@charitysolutions.co.uk  and we will take it from there.

Please do at least think about entering – and pass the message on to anyone you know who also works for a UK charity.  While we don’t want to give current entry numbers away, let’s just say that the odds of winning are currently in your favour!

Take Skype for example. Skype – and other similar services such as Gizmo – allow users to make telephone calls over the internet to other users of the same service free of charge. This communication method has its benefits although there are a few potential downsides that you need to consider as well.

Services such as Skype are fast gaining in popularity. Calling between computers both using the chosen service is completely free, obviously an appealing feature to many people. Most of the services also offer the ability to call “normal” telephone numbers (mobile or land lines) at fairly competitive rates – often really competitive for international calls. Some providers also provide an additional service that (for a monthly or yearly fee) provides you with an incoming phone number. This is a fantastic way to get a number in (depending on the provider) the town or country you want – giving you a pseudo-presence there and making it cheaper for you colleagues, or supporters in that area to call you.

However, though the services are generally reliable, we would not advise relying on them as your only method of telephony – incoming or outgoing. If the service does fail (as happened for several days last year to many SkypeIn users for example) you will be left without any method of telephone contact – which not only will cause major inconvenience but does little for your professional profile.

According to the majority of users the audio is generally superb but the big question is really is it secure to use in an office environment? Each provider will have their own individual security features, so let’s take Skype as an example.

When calling Skype to Skype the calls are strongly encrypted so therefore at the higher end in the security stakes compared to other things that use the internet. If using Skype to call to mobile or landlines however, the calls are only encrypted for the Skype portion and not when they hit the public domain. This is fine if you have offices dotted about the country, or world, and you can implement a company-wide policy of Skype usage between offices, but if you are a smaller organisation mainly communicating with customers using a regular landline/mobile service you cannot guarantee the complete security of the conversations. This is not to say that using Skype is more of a threat to charities than other ‘techie’ tools, such as email, but because Skype is newer the vulnerabilities may not be as well known.

Compliance and protection of information within organisations is also a hot topic these days. Organisations need not only to know what information is entering and leaving the office but also to log and archive it as well. It is difficult for third party applications (ie monitoring tools) to interface with Skype. This makes it very difficult to know exactly what information is entering or leaving the organisation. Sensitive information could be passed on with no way of tracking where and from whom it originated.

Perhaps the answer is not to ban Skype flat-out but if you are going to consider its use, then control it – as you do with email. Policies on acceptable usage, such as no file transfers, and cautions against using it for sensitive communications, should be written and enforced.

Any comments, queries or suggestions for follow up topics that you would like us to cover? Just leave a comment or contact us (details on the About Us page) and we will do our best to help.

First of all, forget about the hype and get back to basics. Remember the recycling mantra:

• - Reduce
• - Reuse
• - Recycle

Reduce is an easy one. Ensuring your computers and printers are shut down at night and not just left on standby will cut down on wasteful power consumption and immediately improve your green footprint. Remember to also switch off monitors when not in use – you can adjust the settings to switch off after a certain period of inactivity. Laptops (and even some PCs) can be set to go into a standby lower power mode if not used for a set period.

Reducing your office paper consumption is another hot issue. You could use less by using both sides and thinking before you print – do you really need ten copies in full colour? Using cheaper low-grade or recycled paper for general use and keeping high-quality paper usage to a minimum is another simple green solution.

Also, don’t forget that a lot of the simple greener changes you have probably already made at home can be carried over into the office – like using low energy bulbs and rechargeable batteries.

Reuse your IT equipment for as long as it is practical and economical. Upgrade only when extra features, speed or processing power is essential – or if the equipment is particularly old and “power hungry”. Some organisations use snazzy new computers that are far more powerful than necessary to run simple office applications. Older machines with less powerful processors could simply be fitted with additional memory or bigger hard disks to remain in service. If you do need a new computer, check the manufacturers website to how green (both in terms of power consumption and the components used) – and when choosing a manufacturer, consult independent organisations such as Greenpeace (www.greenpeace.org/electronics) who regularly monitor how well the main manufacturers are truly doing on the green front or visit the EPEAT website (www.epeat.net) where an increading number of PCs, notebooks and monitors are evaluated and scored according to set environmental criteria.

Think about refilling rather than discarding your printer cartridges. (But take care to check manufacturers warranty if your printer is new because sometimes use of third-party consumables can lead to warranty exclusions.) National companies such as Cartridge World have outlets across the UK where you can take your empty cartridges to be refilled. Or, if you prefer, you can also buy special kits and refill the cartridges yourself – though this can get messy and isn’t always particularly successful. By reusing your cartridges you will not only help save landfill space but you can save money.

Recycle! Under the European Union’s Waste Electrical and Electronic (WEEE) Directive, all manufacturers of electrical equipment are responsible for its environmentally friendly disposal, and the infrastructure required for collection. This allows old equipment to be reused and recycled where possible, with any potentially hazardous components properly disposed of. Your IT supplier may well have facilities in place to recycle your old equipment, if not consult your local council website or national one like www.recyclenow.co.uk.

Once again, the recycling efforts you probably make at home can be reproduced in the office. Don’t forget that not only can your waste paper be recycled, but cans, bottles, cardboard or even plastics. It might not be as easy or cheap (unlike the private house refuse collection facilities provided by councils, most commercial waste collectors will only provide recycling collection at an additional cost) but with a bit or organisation it can be done – and a bottle or can recycled from your office will save just as much energy and resources as one from home.

There are many green options available for smaller organisations and even small changes can make a difference to the environment – and also to your finances. Here are some links you may find useful:

www.netregs.gov.uk – Waste Legislation Information

www.itsnoteasybeinggreen.org/forum – Internet forum with ‘green office’ ideas (amongst many other green topics)

www.donateapc.org – “matchmaking” service for people wanting to get rid of old IT equipment and people wanting to recycle it

www.globalactionplan.org.uk – helping organisations reduce their environmental impact.

www.greenpeace.org/electronics – highlights green IT issues and produces regular reports of how much manufacturers are truly doing to be greener

www.epeat.net - contains details of of PCs, notebooks and monitors that have been evaluated and scored according to set environmental criteria

www.recyclenow.co.uk – website is dedicated to raising recycling awareness and promoting responsible waste management

Any questions or comments?  Or any useful websites you would like to see added to our list?  Just leave a comment or contact us (details on the About Us page) and we will do our best to help.

Put simply, Green IT is using your computing resources more efficiently. Some larger corporations are already taking steps to become more environmentally friendly. Quite apart from any concerns for our planet, they believe being green can reap benefits from cost savings to higher productivity. And of course better environmental credentials look very hip these days! But what does Green IT mean for the smaller organisations and what are some practical solutions?

These days there is much hype surrounding the Green IT issue. If you listened to all of it you would be scrapping your current IT for energy efficient PCs made from natural materials, ditching your servers for new high efficiency blade versions and encouraging your employees teleconference into work rather than drive. But if you take a step back and look at things more practically, it doesn’t take long to work out that (quite apart from the probably prohibitive costs involved) starting anew really isn’t an option that is cast-iron guaranteed to be more environmentally friendly long-term – particularly when you take into account the energy involved in producing all those new computers and shipping them all over the world, not to mention the cost, time & money to dispose of the old IT equipment that was still really working fine for you.

Don’t beat yourself up about the fact that you are not following every green recommendation or buying every new “greener” option. Remember that a lot of the people urging you to swap to those new greener options are not acting entirely out of concern for the planet – the sales of all that replacement kit does mean that those “go-green” pleas by the computer manufacturers are likely to be more than a little self-serving.

Hype aside, there are many small changes that you can make which when combined can still make a significant difference overall.

Next week we will go back to true green basics to look at some simple ways any organisation (however small) can make a difference.

Anti-spam solutions can basically be broken down into two types – hosted and in-house.

Hosted solution

A hosted solution routes your mail to your chosen service provider who scans then delivers it your own mail server. Those wishing to contact you will do so via your usual email address and you continue to send email as normal. The only difference is that your anti-spam service will automatically check and process your email so that all you should receive is clean mail, free of spam and viruses. This will considerably cut down on the amount of mail that your mail server has to receive – and with up to 98% of all current emails being reported to be spam, that can make a considerable dent on the bandwidth you will need from your ISP.

Because a hosted solution provider is monitoring so many emails, it is best placed to see new spam trends developing and so is generally quickest to put new measures into place as new waves of spam arrive. It will also scan mail through multiple anti-virus solutions, from various vendors, so you can normally expect better protection.

Of course the best bit is you don’t have to worry about managing the spam yourself (also taking away the worry of added costs) – the anti-spam provider will assume these responsibilities on your behalf and, since you will normally be paying monthly or yearly for their services, it is in their best interest to make sure they do the job well!

In-House Solutions

An in-house solution is one that is installed at your own offices that you administer yourself (or get someone to do for you). The solution could be software-based (either one piece of central software that scans all emails – normally before they get to your mail server, or software that is installed on each person’s individual PC) or it can be a complete hardware “box” (containing its own software) that you plug into your network.

As in-house solutions require administering, you will need to take into account that managing the spam yourself will take time and may result in additional costs. Also, in-house systems must wait for updates to be released from the system’s manufacturer and so could be slower to be updated with the latest protection. Then there is human error, which means that there is the possibility that available updates and patches can go uninstalled.

But on the plus side, if you don’t need a complicated “bells and whistles” anti-spam solution, you may well be able to get an in-house solution cheaper than a hosted one. And, in time, you will have a much better idea of the type and level of spam that is coming into your organisation – and how to deal with it.

Do you need it to be customisable?

Depending on your specific needs, the level of customisation offered may be an important factor when choosing a solution. Some solutions (both hosted and in-house) are more customisable than others. For example, if your organisation’s area of working means that you receive legitimate messages containing on ‘spam-popular’ words (concerned with debt reduction or pharmaceutical names for example), you might ideally want to look for a solution that gives the ability to let emails containing words in those specific areas through rather than immediately label them as spam.

There are also solutions that allow more flexibility at user level – so that the spam protection for some email addresses can be set to be more or less sensitive than others. So it is wise to think whether your organizations areas of work or working methods mean that your requirements are not best covered by a “one size fits all” solution.

Whatever type of solution you choose, you do need to be aware that no anti-spam solution, whether hosted or in-house, will be 100% accurate. From time to time it is possible that a genuine email will be classified as spam, or that spam will sneak past the filter, so you will still need to check your quarantined spam area regularly – and if the solution you choose includes a simple way of doing this, it will make your life easier.

So, to summarise:

• - Think about the emails your organisation receives and decide what level of customisation (if any) you are going to need from your anti-spam solution.
• - Consider how much time and expertise you have within your organisation to administer an anti-spam solution.
• - Work out the volume of email you receive and the proportion of the current total that is spam. If your ISP currently handles your mail, remember to factor in the additional bandwidth that will be taken up with spam when your ISP’s anti-spam protection is no longer in place – and any costs involved with that extra bandwidth. (Does your ISP charge you more if you go over a monthly limit?)

In the end, as with most things (particularly in IT!) it will probably come down to balancing the features you want or need with the budget and time you have at your disposal. But hopefully the information here will help you to make a more informed choice. And if you are still confused, leave a comment or contact us (details on the About Us page) and we will do our best to help.

Most organisations start off with their mail being hosted by an Internet Service Provider (ISP) such as Demon, Yahoo or AOL, but as they grow, they often wish to host their own mail server in order to give them more features and greater control and flexibility.

When we are asked to help, one of the things we stress to them is the need for some form of anti-spam protection to work alongside their new server. This sometimes comes as a bit of a surprise – the organisation may not have been particularly bothered with spam up to this point – and we have to explain why it is necessary. In part one of our entries on this topic, we cover some of the key reasons for this confusion.

We haven’t had a big problem with spam up to now

When using ISP hosted mail your ISP normally does a lot of work behind the scenes to ensure the integrity of your inbox. This may include:

• - Cross checking email destined for your inbox against a blacklist (a database of spam-offending domain names or IP addresses)
• - Checking incoming mail is being sent from a valid domain
• - Checking any attachments for dangerous content (for example certain file extensions or filenames known to be potentially dangerous)
• - Scanning for viruses

You may not be aware any of this ‘cleansing’ is happening but when you switch to an in-house mail server, mail will come directly to you rather than via your ISP, so this “invisible cleaning” service that has been protecting you up to now (even if you didn’t know it) will no longer be there.

We never publicise our email addresses so how will anyone know what they are to send spam to them?

Firstly, since email is such a common method of communication, not publicising email addresses really isn’t an option for most charities and NFPs these days.

Although it is fair to say the posting of your email address on various websites can make you more susceptible to spam, keeping a low profile will not necessarily ensure immunity. Spammers can be relentless in their pursuit – and have a veritable arsenal of tools to automate their work and make their lives easier.

Once you have your own domain name, details of the domain are available all over the internet to anyone who knows where to look – and will be obvious from your website address (www. mycharityname.org). Most organizations have some form of standard convention for allocating email names – and the spammers know all the common names and possible variations!

A common ploy is to send emails to numerous target addresses with slight variations of names – for example johnsmith@example.com, john.smith@ mycharityname.org or john_smith@ mycharityname.org. By sending to all possible variations, a spam address gatherer can easily find out which email addresses are likely to be real and “live” by the inclusion of seemingly innocuous coding in the spam message (a link to an online image for example) that sends them an alert when opened. Even if all users are scrupulous in never opening a message from unknown senders (often difficult in itself, since you can’t afford to ignore the emails of potential new donors or recipients), phishing can make an email message appear as if it was sent from a trusted known source, enticing the recipient to open the email and thereby notifying the spammer of a real live address.

OK – spam is annoying, but anti-spam solutions cost money – can’t we live with it?

Most e-mail spam began life as a relatively benign, but annoying, method of email advertising. Nowadays, much spam email contains malware – malicious programs and coding designed to destroy or compromise the security of your computers. Spam has taken on a more sinister and destructive guise.

Phishing can make an email message appear as if it was sent from a trusted known source, luring unwary recipients to potentially give up sensitive information.

Also, you can’t assume you will only receive a few spam emails a day. News of your email addresses will move out through the “spammer” community incredibly quickly and the spam will start to arrive the moment they receive your email addresses. Current statistics indicate that 90-99% of all email these days is spam. So even if your organisation only receives one of two “real” emails a day, these statistics indicate that without any spam protection, you are going to have to look through up to 99 messages of spam to find each real message. Quite apart from having to put up with the rather dubious content in the spam messages, do your people really have time to do this – and the focus not to miss the “real” messages amongst all that spam?

Basically, if you are going to run your own mail server, you are going to need some form of anti-spam solution to, at minimum, save your inboxes being overrun with junk mail. More seriously, your anti-spam can help save you network from the influx of potentially damaging malware by scanning and selectively delivering only safe items.

So now how do you choose what kind of anti spam solution will be best for your needs and budget? We will cover this in next week’s blog – but if you can’t wait that long just contact us (details on the About Us page) and we will be more than happy to discuss the options available with you.